ProFTPD how-to

ProFTPD is a secure (as secure as an insecure protocol can be), simple, and easily configured FTP Server.

This document covers the creation of a secure, multiuser FTP Server. This document does not attempt to explain every directive available for the proftpd.conf file. This document does not attempt to explain how to start and stop the ProFTPD daemon as this process varies based on what *nix / BSD Distribution you are running the daemon on. This article does assume general familiarity with *nix / BSD system administration such as adding users, setting user passwords, creating directories, etc.

Before we start: the title of this article is a bit of a misnomer, since FTP is in itself an insecure protocol because it does not encrypt usernames, passwords, or data. If you require a totally secure method of transferring files, I suggest that you look into SCP, which is an extension to the SSH (Secure Shell) Protocol.

Premise

We will be working with three "levels" of security to secure our server. Our first layer of "security" is to jail all FTP users in a chroot jail. Luckily, ProFTPD provides a built-in facility for this purpose. Our second layer of protection needed for a "secure" FTP Server is to deny a valid shell to the FTP users. Our third layer of security is to not use the account names of real users as FTP accounts; this is irrelevant in the scope of this tutorial because we will be setting up FTP users with invalid shells.

I : Preparing the System

To deny a valid shell to the FTP users, the /etc/shells file will need to be edited. This file contains all the valid FTP shells. We want to add an executable that does nothing to this file so we can assign this "nothing" executable to the FTP users, so that they have no shell if they break out of the chroot jail.

Add the following line to /etc/shells:

Code:

/bin/false

(/bin/false) does nothing – check out the man page if you wish.

We also want to secure the directory where we will be storing the FTP Server's files. Create a new group using whichever tool you normally use and call it ftp-users.

II : Create The FTP File Area

Decide on a base (root) directory where you wish to keep all the uploaded and downloadable files for your FTP Server. In this document, I will refer to this directory as /ftproot. Create the following directory structure below it.

/ftproot/upload

/ftproot/download

Next, set the permissions on the ftp directory structure.

Code:

chown -R ftp:ftp-users /ftproot
chmod -R 770 /ftproot

III: Create FTP Users

We already know why it is not a good idea to use valid user accounts for FTP. So let's create some FTP users.

Using whatever tool you normally use to create users, create some special FTP accounts. I suggest that you use the useradd tool instead of adduser as useradd does not create a home directory unless you specify it (we do not want to create standard home directories for the FTP users). I use the following format for ftp user names.

ftp followed by the user's initials. For example, John Doe's FTP account would be ftpjd (I will use ftpjd as an example FTP account for the rest of this document).

If you accidentally created a home directory (/home/ftpjd) for the FTP user, delete it now.

Next, we want to give the user an invalid shell, put him or her in the ftp-users group, add a comment to the user's file that identifies the user as an FTP user, and change his or her home directory to the root directory of our FTP server. Edit the /etc/passwd file OR use the usermod tool as in the example below.

Code:

usermod -c FTP -d /ftproot -g ftp-users -s /bin/false ftpjd

IV: Configure ProFTPD

First, we will set the chroot jailing. The chroot jailing in ProFTPD works with the home directory that is set for the user in /etc/passwd. Since we changed all of our FTP users' home directories to /ftproot, they will all start off jailed in /ftproot when they log in to our FTP server. Configuring the chroot jail in ProFTPD is as simple as adding the following line to your /etc/proftpd.conf file somewhere in the first half of the file.

Code:

#Jail all users
DefaultRoot ~
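
The settings made in sections I to IV can be checked together with a short audit. The script below is an added example, not part of the original how-to; the function name audit_ftp_setup, the account ftpab and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Usage: audit_ftp_setup PASSWD_FILE SHELLS_FILE PROFTPD_CONF FTP_ROOT
# Prints one finding per line and returns 1 if anything was found.
audit_ftp_setup() {
    passwd_file=$1; shells_file=$2; conf_file=$3; ftp_root=$4
    {
        # ProFTPD's RequireValidShell (on by default) rejects logins whose
        # shell is not listed in /etc/shells, so /bin/false must be there.
        grep -qxF '/bin/false' "$shells_file" ||
            echo "shells: /bin/false is not listed"

        # The jail only exists if an uncommented "DefaultRoot ~" is present.
        grep -Eq '^[[:space:]]*DefaultRoot[[:space:]]+~([[:space:]]|$)' "$conf_file" ||
            echo "conf: no active 'DefaultRoot ~' directive"

        # Every account homed in the FTP root must have /bin/false as shell.
        awk -F: -v root="$ftp_root" '
            $6 == root && $7 != "/bin/false" {
                printf "passwd: %s has login shell %s\n", $1, $7
            }' "$passwd_file"
    } | {
        # Pass findings through and turn "any output" into exit status 1.
        awk '{ print; n++ } END { exit (n > 0) }'
    }
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
printf '%s\n' /bin/sh /bin/bash /bin/false > "$demo/shells"
printf '%s\n' '#Jail all users' 'DefaultRoot ~' > "$demo/proftpd.conf"
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftpjd:x:1001:1001:FTP:/ftproot:/bin/false
ftpab:x:1002:1001:FTP:/ftproot:/bin/bash
EOF

# ftpab was created without "-s /bin/false", so it is reported.
audit_ftp_setup "$demo/passwd" "$demo/shells" "$demo/proftpd.conf" /ftproot || true
```

On a live server, pass /etc/passwd, /etc/shells and /etc/proftpd.conf instead of the sample files.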

Next, we will add permissions directives for our FTP directory structure. Add the following to the end of your /etc/proftpd.conf file.

The directives above set the server to read only in all directories except the upload directory. This allows the admin to control which files are made public. For more detailed information on these directives, please see the ProFTPD documentation.
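
The behaviour just described can be expressed with the directive blocks below. They are an added example, not the original post's configuration, and assume the /ftproot layout from section II.

```apache
# Added example for /etc/proftpd.conf (assumes the /ftproot tree from section II).
# <Directory> paths are full filesystem paths, even with DefaultRoot in effect.

# Read-only everywhere under the FTP root: refuse every command in the
# WRITE group (STOR, DELE, MKD, RMD, rename, ...).
<Directory /ftproot>
  <Limit WRITE>
    DenyAll
  </Limit>
</Directory>

# Exception: allow storing new files in the upload directory. The other
# WRITE commands stay denied there, so uploads cannot be deleted or renamed.
<Directory /ftproot/upload>
  <Limit STOR>
    AllowAll
  </Limit>
</Directory>
```

Running `proftpd -t` checks the syntax of the edited file before the daemon is restarted.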

Start up your ProFTPD Daemon and you are finished.

V : A Working ProFTPD Configuration

I have bolded some of the important directives in the example configuration that this document does not cover that you should look up in the ProFTPD documentation.